CN101515931B - Method for enhancing the database security based on agent way - Google Patents


Info

Publication number
CN101515931B
Authority
CN
China
Prior art keywords
request
database
order
database server
server
Prior art date
Legal status
Expired - Fee Related
Application number
CN200910080856A
Other languages
Chinese (zh)
Other versions
CN101515931A (en)
Inventor
代六玲
杜顶
张晗立
胡金武
梁涛
汤继良
李奇
陈合春
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date
2009-03-24
Filing date
2009-03-24
Publication date
2012-09-19

Abstract

The invention discloses a method for enhancing database security based on a proxy, belonging to the technical field of databases and information security. A request checking and filtering mechanism is deployed between the application server and the database server; it comprises address mapping of the database server, permission management independent of the database, and a dangerous command management function, and ultimately achieves the purpose of enhancing the access security of the database. The address mapping of the database server is the precondition for realizing the independent permission management and the dangerous command management function. In addition, the method is fully transparent to the application system accessing the database; the existing application system does not need to be changed after the method is deployed. The address mapping mechanism realizes port mapping and hides the real IP address and port, so an attacker cannot interact directly with the database server, which effectively increases the security of the database.

Description

A database security enhancement method based on a proxy
Technical field
The invention belongs to the field of database and information security technology and relates to a security enhancement method for databases.
Background technology
Databases are used very widely in information systems. As the aggregation point of information, a database system stores the most valuable data in the system and is a core component of the information system; database security is therefore very important.
In a network environment, the security problems faced by database systems include:
(1) Excessive database administrator (DBA) privileges. The security level of the database systems in wide use today is C2, and such systems use the discretionary access control (DAC) model for access control. Under this model the DBA role holds the highest privilege and user privileges can propagate without restriction, which makes obtaining the DBA role the goal of an attacker (such as a network hacker). Once an attacker has obtained the DBA role, the database has no security to speak of and is completely exposed.
(2) Security vulnerabilities in database systems. According to published data, databases carry many security risks, many of them fatal defects and vulnerabilities, for example buffer-overflow vulnerabilities or SQL injection vulnerabilities. Many of these vulnerabilities are easily exploited by attackers to launch intrusions or cause damage, leading to the leakage of confidential data or loss of control of the system.
(3) Malicious attacks. Because a database stores the most valuable data and is a core component of the information system, it may come under attack at any time. Attackers adopt methods such as TCP, password attacks, buffer-overflow attacks, SQL injection attacks and denial-of-service attacks. All of these attacks pose a very serious threat to the security of the database.
Summary of the invention
The object of the invention is to propose a database security enhancement method based on a proxy, in order to solve the security problem at the database access entry point. Its core is to deploy a request checking and filtering mechanism between the application server and the database server. This mechanism comprises address mapping of the database server, permission management independent of the database, and a dangerous command management function, and ultimately achieves the goal of strengthening the security of the database entry point. The address mapping of the database server is the precondition for realizing the independent permission management and dangerous command management functions. At the same time, the method is fully transparent to the application system accessing the database; the existing application system needs no change after deployment.
The technical scheme of the database security enhancement method based on a proxy is as follows:
A first network interface and a second network interface are provided; the first network interface is connected to the database server and the second network interface is connected to the application server, so that the application server does not connect to the database server directly. By forwarding data between the two network interfaces, the address mapping of the database server is realized.
When the application server sends an access request to the database server, the access request is first subjected to permission management independent of the database; that is, each requester is uniquely identified by the combination of IP address and user name, so that permission management is applied to the requester rather than screening by user name only. At this point, the request type is judged first and the corresponding response policy is executed according to the request type. When the request type is a data request, it is judged whether the request contains a command call; if it does, dangerous command management is applied to the data request, that is, the command type is judged first and the corresponding response policy is executed according to the command type. In this way users can be screened more precisely than by the database system itself, effectively avoiding the data disclosure that results when an attacker obtains high privileges. After the permission management independent of the database and the dangerous command management are complete, the access request that passed the checks is forwarded to the database server. Unauthorized access and attacks are thereby discovered and blocked in time.
The data forwarded from the first network interface to the second network interface are the database server's responses to the application server's requests; these are forwarded directly to the application server.
Beneficial effect
The present invention strengthens database security in a proxy-based manner, mainly in the following aspects:
(1) The address mapping mechanism of the present invention hides the real address of the database server.
Before the address mapping mechanism is introduced, the database server is directly exposed to the outside: an attacker can scan the server's ports, learn the database type and operating system from the server's responses, and then carry out attacks such as password guessing.
After the address mapping mechanism is introduced, the database server and the application server are isolated from each other. The port mapping function realized by the address mapping mechanism hides the real IP address and port, so an attacker cannot interact with the database server directly, which improves database security.
(2) The present invention provides secondary permission management independent of the database.
Before the secondary permission management mechanism is introduced, the database is connected directly to the application program and can only authenticate by password, so it is vulnerable to connections from fake users at different IP addresses and to malicious attacks. Because the DBA role has super privileges, once a malicious attacker raises their own role to DBA by stealing a password or by SQL injection, the entire database is fully under their control. The application server is also easily turned into the attacker's springboard in the course of attacks such as SQL injection.
After the secondary permission management mechanism is introduced, an application program's access to the database must pass two layers of authentication and permission checks: the secondary permission management mechanism and the database system itself.
The secondary permission management mechanism uniquely identifies a visitor by the combination of IP address and user name; only an "IP & user" pair stored in the white list may connect to the database. The secondary permission management mechanism provides authorization checks fully independent of the database system and manages rights for each "IP & user name" combination. Rights can be managed down to the field level.
Through re-authentication and secondary rights management, it is difficult for an attacker to forge a connection and attack directly. Moreover, even if an attacker succeeds in raising their role to DBA by other means, because the secondary rights management mechanism provides independent rights management, the attacker can still obtain only limited rights and cannot obtain real DBA privileges, which improves database security.
(3) A dangerous command management mechanism is adopted to effectively guard against attacks on the database.
The dangerous command management mechanism can detect in real time a user's calls to dangerous system commands against the database, as well as attacks such as buffer overflows and SQL injection, block the attack automatically and record the details of the attack in an audit log, which improves database security.
Description of drawings
Fig. 1 is the overall flow chart of the database security enhancement method based on a proxy according to the present invention;
Fig. 2 is the flow chart of the permission management independent of the database in the method shown in Fig. 1;
Fig. 3 is the flow chart of the dangerous command management in the method shown in Fig. 1.
Embodiment
The embodiments of the present invention are explained in further detail below with reference to the drawings.
A first network interface and a second network interface are provided; the first network interface is connected to the database server and the second network interface is connected to the application server, so that the application server does not connect to the database server directly. By forwarding data between the two network interfaces, the address mapping of the database server is realized.
When the application server sends an access request to the database server, the request is first subjected to permission management independent of the database, implemented as follows:
Step 1: perform communication protocol analysis on the database request initiated by the client application and restore the SQL statement.
Step 2: judge the request type and execute the corresponding response policy according to the request type:
(1) If it is a connection request, first check whether the client's "IP & user name" is authorized, then check whether the database the request connects to is authorized. If any authorization check fails, handle the request as not allowed to access (for example audit it, invalidate it, or break the connection); if the request is authorized, forward the request to the database server.
(2) If it is a data request, parse the SQL statement and, according to the authorization information, check whether the tables, views and fields requested by the user are authorized. If the request is not authorized, handle it as not allowed to access; if the request is authorized, judge whether the data request contains a command call. If it contains no command call, forward the request to the database server; otherwise, apply dangerous command management to the data request, implemented as follows:
Step 1: judge the type of the requested command.
Step 2: execute the corresponding response policy according to the specific situation of the command:
(1) If it is a system command, check the function of the system command. If the command's function may reveal information about the operating system or the database, or execute operating system commands, respond according to the policy formulated in advance (for example audit, invalidate, or break the connection);
(2) If the command has an SQL injection vulnerability, judge whether the request contains an SQL injection attack. If it does, respond according to the policy formulated in advance (for example audit, invalidate, or break the connection);
(3) If the command carries a risk of buffer-overflow attack, check whether the command parameters contain a buffer-overflow attack. If the command contains a buffer-overflow attack, respond according to the policy formulated in advance (for example audit, invalidate, or break the connection);
If the system command cannot threaten system security, or the request contains no SQL injection statement, or contains no buffer-overflow attack, or the command is a normal command, forward the access request to the database server.
After receiving the client's access request, the database server responds to it. The response is forwarded directly to the client.
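As an added worked example (not code from the patent or its implementation), the request checking and filtering stage of Fig. 1 to Fig. 3 in Python: the "IP & user" white list with field-level grants that the secondary permission management section describes, followed by the three command classes of the dangerous command management. The white list, the command table, the parameter-length bound and the regex "parser" standing in for protocol analysis are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed policy tables (assumptions for this example, not values from the patent).
# Secondary authorization: (client IP, DB user) -> {database: {table: {granted fields}}}.
WHITELIST = {
    ("10.0.0.5", "app"): {"shop": {"orders": {"id", "total"}, "customers": {"id", "name"}}},
}
# Procedures the proxy treats as "command calls", mapped to the risk class the patent
# distinguishes: OS-level system command, injection-prone command, overflow-prone command.
# xp_cmdshell is a real MSSQL procedure; the other two names are placeholders.
COMMAND_CALLS = {"xp_cmdshell": "system", "dyn_sql_proc": "sqli", "legacy_blob_proc": "overflow"}
MAX_ARG_LEN = 256   # constructed bound for the buffer-overflow parameter check
# Response policy formulated in advance: what to do per finding (audit/invalidate/disconnect).
POLICY = {"system": "disconnect", "sqli": "disconnect", "overflow": "disconnect",
          "unauthorized": "invalidate"}

@dataclass
class Request:
    ip: str
    user: str
    kind: str        # "connect" or "data"
    database: str
    sql: str = ""    # SQL statement restored by protocol analysis (only for "data")

def check_connection(req):
    """Step 2(1): the (IP & user) pair must be whitelisted and granted the target database."""
    grants = WHITELIST.get((req.ip, req.user))
    if grants is None or req.database not in grants:
        return ("disconnect", "IP&user pair or database not authorized")
    return ("forward", "")

def parse_sql(sql):
    """Minimal regex stand-in for SQL parsing: referenced tables, selected fields, calls."""
    tables = {t.lower() for t in re.findall(r"\b(?:from|join|into|update)\s+([a-z_]\w*)", sql, re.I)}
    m = re.search(r"\bselect\s+(.*?)\s+from\b", sql, re.I | re.S)
    fields = {f.strip().lower() for f in m.group(1).split(",")} if m else set()
    calls = re.findall(r"\b([a-z_]\w*)\s*\(([^()]*)\)", sql, re.I)   # (name, argument text)
    return tables, fields, calls

def check_dangerous_command(calls):
    """Dangerous command management: classify each call, apply the pre-formulated policy."""
    for name, args in calls:
        cls = COMMAND_CALLS.get(name.lower())
        if cls == "system":
            return (POLICY[cls], f"system command {name} may expose or execute on the OS")
        if cls == "sqli" and re.search(r"(--|/\*|;|\bor\s+\d+\s*=\s*\d+)", args, re.I):
            return (POLICY[cls], f"SQL injection pattern in argument of {name}")
        if cls == "overflow" and any(len(a) > MAX_ARG_LEN for a in args.split(",")):
            return (POLICY[cls], f"oversized parameter to {name}")
    return ("forward", "")

def check_data(req):
    """Step 2(2): table/field grant check, then dangerous command management if calls exist."""
    grants = WHITELIST.get((req.ip, req.user), {}).get(req.database, {})
    tables, fields, calls = parse_sql(req.sql)
    for t in tables:
        if t not in grants:
            return (POLICY["unauthorized"], f"table {t} not granted to this IP&user")
    allowed = set().union(*(grants[t] for t in tables)) if tables else set()
    for f in fields:
        if f not in allowed:          # "*" is also rejected: it requests ungranted fields
            return (POLICY["unauthorized"], f"field {f} not granted")
    if not calls:
        return ("forward", "")
    return check_dangerous_command(calls)

def inspect(req):
    """Overall flow (Fig. 1): judge the request type, then run the matching policy."""
    return check_connection(req) if req.kind == "connect" else check_data(req)

if __name__ == "__main__":
    r = Request("10.0.0.5", "app", "data", "shop", "SELECT id, total FROM orders WHERE id = 7")
    print(inspect(r))
```

As in the patent's flow, the injection and overflow checks run only on requests that contain a command call; ordinary statements are screened by the table and field grants alone.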

Claims (1)

1. A database security enhancement method based on a proxy, characterized in that the technical scheme is as follows:
A first network interface and a second network interface are provided; the first network interface is connected to the database server and the second network interface is connected to the application server, so that the application server does not connect to the database server directly; by forwarding data between the two network interfaces, the address mapping of the database server is realized;
When the application server sends an access request to the database server, the access request is first subjected to permission management independent of the database, that is, each requester is uniquely identified by the combination of IP address and user name, so that permission management is applied to the requester rather than screening by user name only; at this point the request type is judged first and the corresponding response policy is executed according to the request type; when the request type is a data request, it is judged whether the request contains a command call, and if it does, dangerous command management is applied to the data request, that is, the command type is judged first and the corresponding response policy is executed according to the command type;
The data forwarded from the first network interface to the second network interface are the database server's responses to the application server's requests; these are forwarded directly to the application server;
The concrete implementation steps of the said permission management independent of the database are as follows:
Step 1: perform communication protocol analysis on the database request initiated by the client application and restore the SQL statement;
Step 2: judge the request type and execute the corresponding response policy according to the request type:
(1) If it is a connection request, first check whether the client's "IP & user name" is authorized, then check whether the database the request connects to is authorized;
If any authorization check fails, handle the request as not allowed to access; if the request is authorized, forward the request to the database server;
(2) If it is a data request, parse the SQL statement and, according to the authorization information, check whether the tables, views and fields requested by the user are authorized;
If the request is not authorized, handle it as not allowed to access; if the request is authorized, judge whether the data request contains a command call; if it contains no command call, forward the request to the database server; otherwise, apply dangerous command management to the data request, implemented as follows:
Step I: judge the type of the requested command;
Step II: execute the corresponding response policy according to the specific situation of the command:
1. If it is a system command, check the function of the system command;
If the command's function may reveal information about the operating system or the database, or execute operating system commands, respond according to the policy formulated in advance;
2. If the command has an SQL injection vulnerability, judge whether the request contains an SQL injection attack;
If it contains an SQL injection attack, respond according to the policy formulated in advance;
3. If the command carries a risk of buffer-overflow attack, check whether the command parameters contain a buffer-overflow attack;
If the command contains a buffer-overflow attack, respond according to the policy formulated in advance;
If the system command cannot threaten system security, or the request contains no SQL injection statement, or contains no buffer-overflow attack, or the command is a normal command, forward the access request to the database server;
After receiving the client's access request, the database server responds to it, and the response is forwarded directly to the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910080856A CN101515931B (en) 2009-03-24 2009-03-24 Method for enhancing the database security based on agent way

Publications (2)

Publication Number Publication Date
CN101515931A CN101515931A (en) 2009-08-26
CN101515931B true CN101515931B (en) 2012-09-19

Family

ID=41040224

Country Status (1)

Country Link
CN (1) CN101515931B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107784221A (en) * 2016-08-30 2018-03-09 阿里巴巴集团控股有限公司 Authority control method, service providing method, device, system and electronic equipment

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045310B (en) * 2009-10-14 2015-07-15 上海可鲁系统软件有限公司 Industrial Internet intrusion detection as well as defense method and device
CN102255924B (en) * 2011-08-29 2013-11-06 浙江中烟工业有限责任公司 Multi-stage security interconnection platform based on trusted computing and processing flow thereof
CN102722667B (en) * 2012-03-07 2015-12-02 甘肃省电力公司信息通信公司 Based on the database safeguarding system and method for virtual data base and virtual patch
CN103338208B (en) * 2013-07-16 2017-05-24 五八同城信息技术有限公司 Method and system for SQL injection and defense
CN103473353B (en) * 2013-09-25 2017-02-08 上海交通大学 Web safety-oriented database security protection method and system
CN104166812B (en) * 2014-06-25 2017-05-24 中国航天科工集团第二研究院七〇六所 Database safety access control method based on independent authorization
CN104766023B (en) * 2015-02-02 2017-09-19 苏州全维软件科技有限公司 User management method based on ORACLE databases
CN109766686A (en) * 2018-04-25 2019-05-17 新华三大数据技术有限公司 Rights management
CN110381016A (en) * 2019-06-11 2019-10-25 辽宁途隆科技有限公司 The means of defence and device, storage medium, computer equipment of CC attack
CN110457897A (en) * 2019-07-17 2019-11-15 福建龙田网络科技有限公司 A kind of database security detection method based on communication protocol and SQL syntax
CN112989403B (en) * 2019-12-18 2023-09-29 拓尔思天行网安信息技术有限责任公司 Database damage detection method, device, equipment and storage medium
CN112491813B (en) * 2020-11-10 2022-09-06 深圳市中博科创信息技术有限公司 Instruction transmission control method and device and computer readable storage medium
CN113190839A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack protection method and system based on SQL injection
CN114531266A (en) * 2021-12-03 2022-05-24 国网浙江省电力有限公司嘉兴供电公司 Power distribution network data protection system and method based on intermediate database
CN115514585B (en) * 2022-11-23 2023-03-24 北京数字众智科技有限公司 Database security management method and system
CN117271376A (en) * 2023-11-22 2023-12-22 天津华来科技股份有限公司 SQLMap-based interface SQL injection detection optimization method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1858738A (en) * 2006-02-15 2006-11-08 华为技术有限公司 Method and device for access data bank
US7263717B1 (en) * 2003-12-17 2007-08-28 Sprint Communications Company L.P. Integrated security framework and privacy database scheme
CN101047704A (en) * 2006-04-05 2007-10-03 华为技术有限公司 Data base access system, device and method based on session initiate protocol network
CN101355427A (en) * 2008-07-22 2009-01-28 中国移动通信集团江苏有限公司 Internally-control safety method for information gateway-service support system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120919

Termination date: 20130324